Construction of a secure cryptosystem based on spatiotemporal chaos and its
application in public channel cryptography

By combining the one-way coupled chaotic map lattice system with a bit-reverse operation, we construct a new cryptosystem which is extremely sensitive to the system parameters even for low-dimensional systems. The security of this new algorithm is investigated and the mechanism of the sensitivity is analyzed. We further apply this cryptosystem to public channel cryptography, based on "Merkle's puzzles", by employing it both as pseudo-random-number (PN) generators and as a symmetric encryptor. With the properties of spatiotemporal chaos, the new scheme is rich with new features and shows some advantages in comparison with the conventional ones.

One serious problem in chaos synchronization based encryptions is that parameters close to the secret key can still synchronize systems to a certain extent, and a regular structure usually appears in the key space under the known-plaintext attack. In other words, there is always a key basin of finite width around the secret key. The keys in this basin are highly correlated, and the system security is broken once the key basin is located and explored. Although some methods, like those exploiting spatiotemporal chaos or the modulo operation, can complicate the cryptanalysis, system security is still vulnerable because the basin width increases monotonically with the amount of known plaintext. In this paper, we incorporate a conventional bit operation, the bit-reverse operation, into spatiotemporal chaos, and find that the basin width shrinks to zero in terms of the computational precision. This approach not only extends the definition of the secret key to the real domain and enlarges the capacity of the key space accordingly, but also overcomes the problem of correlations in the key basin entirely. Using the proposed cryptosystem both as a set of pseudo-random-number (PN) generators and as a symmetric encryptor, we further investigate the feasibility of public channel cryptography based on chaos, and propose a prototype for application. In comparison with the conventional methods, the new model is superior in many aspects: flexibility, manageability, and simplicity. These new features, together with the experimental progress in chaos-based communication, make this scheme a good candidate for public channel cryptography both in software and hardware.



I. INTRODUCTION 



As an important application of chaos, chaos-based secure communication and cryptography have attracted continuous interest over the last decade. For convenience and flexibility, most of the proposed schemes are based on the phenomenon of chaos synchronization, where two chaotic systems can be synchronized through driving or coupling. While synchronization brings certain advantages for practical applications, it also presents some drawbacks for the system security. Later it was found that even for high dimensional chaotic systems, which usually possess higher complexity and multiple positive Lyapunov exponents, the system security is still vulnerable under some sophisticated attacks. Besides the problem of security, in comparison to the conventional schemes used widely in engineering, the performance of chaos encryptions is also disappointing in other aspects, such as low encryption speed and high bit error rate. How to design a secure yet efficient cryptosystem has always been a challenge for the chaos cryptographer.

More recently, the study of applying one-way coupled map lattices (OCML) for encryption has shed some new light on this research. One significant point of this scheme is that two classical numerical operations, namely integration and modulation, are incorporated into the chaotic dynamics. With these operations, system security, as well as other performance indicators, can be greatly improved to a level comparable with those of the conventional ones, such as DES and AES [9]. In a most recent study, system security is further improved by adding an S-box, another technique typically used in conventional encryptions, to the coupled lattices. As a result, the capacity of the key space is further enlarged and the system becomes even more sensitive to the parameters. However, these schemes still suffer from the problem of the "continuity" of chaotic dynamics, i.e., correlations still exist between the keys [11].

In conventional cryptography, encryption schemes are divided into symmetric and asymmetric methods [20]. In contrast to the symmetric methods, the keys in the asymmetric methods are generated in pairs, a public key and a private key, and it is computationally infeasible to deduce the private key from the public key. Anyone with the public key can encrypt a message but not decrypt it. Only the person with the private key can decrypt the message. Mathematically, the process is based on trap-door one-way functions, where encryption is the easy direction and decryption is the difficult direction. Communication strategies that use asymmetric methods for encryption have much greater inherent security than symmetric methods, since they eliminate the problem of key distribution, which itself can pose the most serious security risk. However, most of the proposed chaos-based encryption schemes are within the branch of symmetric methods, and little attention has been paid to asymmetric encryptions, or public-key cryptography (PKC) [21]. Whereas all known PKC algorithms are based on some hard problems in number theory (factorization, knapsack, discrete logarithms, etc.), it is of great interest and challenge to construct PKC algorithms based on dynamics.

In the present work, we propose a new scheme of chaos-based symmetric encryption and, using the proposed cryptosystem both as a symmetric encryptor and as pseudo-random-number (PN) generators, design a prototype for public channel cryptography. In the new cryptosystem, the outputs are extremely sensitive to the secret key. Any detectable mismatch of the secret key, of the order of the computer precision, will induce a totally different set of outputs. Hence this scheme not only overcomes the basic problem of "continuity" met in chaos-based encryptions, but also extends the definition of the secret key to all real values in the key space. Borrowing the concept of "Merkle's Puzzles" [22], we further construct a new model for public channel cryptography where all blocks are endowed with spatiotemporal chaos. In comparison with conventional methods, the new model is found to be more efficient and flexible in some aspects.

This paper is arranged as follows. In Section II we describe our new method for constructing chaos-based cryptosystems and, in Section III, we give a detailed discussion of its sensitivity and security. The prototype for PKC is presented in Section IV, and the system security is analyzed in Section V. We highlight the new features and advantages of the PKC in Section VI.



II. CONSTRUCTING CRYPTOSYSTEM OF
HIGH SECURITY

As cryptosystems based on low dimensional chaos have been shown to be vulnerable, there have been several efforts to improve the security by employing spatiotemporal chaos. Although these cryptosystems perform well against some conventional attacks (like the differential and linear attacks), and can even resist some classical chaos-based attacks (like the return map and reconstruction attacks), they still suffer some inherent drawbacks from chaos dynamics. For example, when chaos synchronization is used for encryption, the keys close to the secret key can still synchronize the receiver system to a certain extent, thus forming a key basin around the secret key. (For more details about the definition of key basin, please refer to Ref. [?].) Since the system security is directly connected with the structure of this basin, it can be broken once the location of this basin is explored. Based on this, an effective known-plaintext attack, the error function attack (EFA), has been proposed specifically for cracking chaos synchronization based cryptosystems. It is found that, under EFA, most of the proposed cryptosystems are vulnerable or not secure at all, and for some situations the higher dimensionality does not help to improve system security.

The underlying reason for this "continuity" is that the Lyapunov exponent (LE) in conventional chaotic systems is not large enough to quickly diffuse the nearby states in phase space. It is thus natural to look to the exploration and construction of chaotic systems with large LE for chaos cryptography, at least as far as the EFA attack is concerned. Along this direction, two methods have been proposed: (1) using several of the least significant digits as the output signals and, (2) coupling lattices with a weak signal. Through these methods, system sensitivity can be significantly improved, and the width of the key basin shrinks accordingly. However, as pointed out in Ref. [?], there still exists a scaling between the amount of known plaintext and the width of the key basin: the more plaintext is known, the wider the key basin will be. In this respect, the problem of the key basin remains fundamentally unsolved.

We extend the study in Ref. [?] and aim to design cryptosystems that are "truly" secure. By this we mean cryptosystems with the property that the sizes of the key basins are of the order of the computational precision (or the measurement precision in practice), and which remain unchanged with the amount of plaintext known to the attacker. Instead of the S-box, we construct the transmitter by incorporating a bit-reverse operation, $F$, into the one-way lattice ring of $N$ coupled logistic maps, and the dynamics of the transmitter can be formulated as



$$
\begin{aligned}
x_0(n) &= S_N(n)/2^{v}, \\
x_1(n+1) &= (1-\epsilon_1) f[x_1(n)] + \epsilon_1 f[x_0(n)], \\
x_2(n+1) &= (1-\epsilon_2) f[x_2(n)] + \epsilon_2 f\{F[x_1(n)]/2^{v}\}, \\
x_i(n+1) &= (1-\epsilon_i) f[x_i(n)] + \epsilon_i f[x_{i-1}(n)], \\
f(x) &= 4x(1-x), \quad i = 3,4,\ldots,N,
\end{aligned} \tag{1}
$$

with

$$
\begin{aligned}
S_N(n) &= \{\mathrm{int}[x_N(n) \times 10^{h}]\} \bmod 2^{v}, \\
F(x) &= \mathrm{Reverse}\{\mathrm{int}[x \times 10^{h}] \bmod 2^{v}\}.
\end{aligned} \tag{2}
$$

Reverse{ } represents a bit-reverse operation which reverses the bit string of an integer and generates another integer as the output. $2^{v}$ is a large integer and $10^{-h}$ is the computer precision.

The dynamics of the receiver (denoted by variables $y_i(n)$, $i = 1,2,\ldots,N$) is identical to that of the transmitter except that the first lattice, $y_1(n)$, is driven by $x_0(n)$. It can be proved that the two systems can be synchronized under the same driver signal, $x_0(n)$, given $\epsilon_i > 0.75$, $i = 1,2,\ldots,N$. In our model, we fix $\epsilon_i = 0.95$, $i = 2,\ldots,N$, and adopt $\epsilon_1$ as the secret key and define the key space as $\epsilon_1 \in [0.95, 1)$.

For encryption, at the transmitter side, each lattice except the first one can be regarded as an encryptor. To encrypt a message $P_i(n)$ in the $i$th channel, we simply perform an XOR (exclusive OR) operation on this message with the least significant $v$ bits of the information of $x_i(n)$, and the output ciphertext reads

$$
\begin{aligned}
C_i(n) &= \mathrm{XOR}[P_i(n), X_i(n)], \\
X_i(n) &= \{\mathrm{int}[x_i(n) \times 10^{h}]\} \bmod 2^{v}, \quad i = 2,\ldots,N.
\end{aligned} \tag{3}
$$

The ciphertexts, $C_i(n)$, and the driver signal $x_0(n)$ are then transmitted to the receiver. The receiver recovers the transmitted message through the function

$$
P'_i(n) = \mathrm{XOR}[C_i(n), Y_i(n)], \quad i = 2,\ldots,N, \tag{4}
$$

with $Y_i(n)$ having the same definition as $X_i(n)$ but at the receiver end. With the same secret key, $\epsilon_1$, the two systems, $x$ and $y$, can be completely synchronized, and we finally have $P'_i(n) = P_i(n)$.



III. SECURITY ANALYSIS 

The key point of this cryptosystem is the bit-reverse operation adopted in Eqs. (1). Since the only secret of symmetric encryption is the key, the central task of such a cryptosystem is to make the outputs, $X_i$, as sensitive to the secret key as possible. In this scheme, any detectable mismatch of $\epsilon_1$ (of the order of computer precision) will affect at least the value of the last bit in $X_1$. Due to the bit-reverse function, this least significant bit becomes the most significant one when coupled to $X_2$, and thus induces a large difference in $X_2$ and other outputs as well. This is further reflected in the behavior of the LE: the bit-reverse operation is equivalent to increasing the largest LE (LLE) by about $h\ln 10$. Thus, the LLE in the newly constructed cryptosystem is estimated to be

$$
\Lambda' \approx \Lambda + h\ln 10, \tag{5}
$$

with $\Lambda$ being the original LLE of OCML. For computations with double arithmetic precision, $h = 16$, and with the last $v = 30$ bits of information adopted as the outputs, the value of the LLE for $N = 5$ coupled lattices is about $\Lambda' \approx 45$, a value which can diffuse any detectable mismatch of the secret key, $\epsilon_1$, to the order of its key space within a few iterations, and thus totally confuses the "continuity" property in chaos dynamics.

FIG. 1: For OCMLs of size $N = 5$ and $T = 2 \times 10^{6}$ known plaintexts, the EFA results of the second channel for encryption schemes: (a) proposed in Ref. [?] and (b) proposed in Section II. The width of the key basin in (b) is the same as the computer precision, $10^{-16}$, and does not change as $T$ increases.

For an eavesdropper, it is easier to attack the 2nd channel than the others (studies show that the security of the encryption channel increases exponentially with the size of the OCML). We will thus focus on evaluating the security of this channel in the following. Assuming that the eavesdropper knows the whole dynamics of Eqs. (1) and can find a large amount of plaintext-ciphertext pairs, all he/she needs is to explore the secret key, $\epsilon_1$, or the key basin where it is located (we consider here the most common attack used in cryptanalysis: the known-plaintext attack). By trying some test keys, $\epsilon'_1$, the eavesdropper can study the structure of the key basin by the EFA function



n=l 



(6) 



with $T$ the amount of known plaintext and $P'_2$ the test plaintext generated under the test key $\epsilon'_1$. Usually there will exist a key basin of a certain width around the secret key, and the system security will be compromised once this basin is explored.

In Fig. 1(a), we plot the EFA result of the model used in Ref. [?] with respect to the mismatch between the test key and the secret key, $\Delta\epsilon = \epsilon'_1 - \epsilon_1$. It can be seen that, around the secret key, there exists a smooth basin with a width of at least $10^{-7}$. With this basin structure, once the location of the key basin is explored, one can easily get close to the secret key, which is located at the bottom of the key basin, using only several test keys and some optimized searching methods. As a comparison, we also plot in Fig. 1(b) the EFA result of Eqs. (1). It is found that the width of the key basin is just the same as the computer precision, $10^{-16}$. The interesting feature is that, in Fig. 1(b), the width of the key basin does not increase with $T$. We plot Figs. 1(a) and (b) using $T = 2 \times 10^{6}$ known plaintexts, and have also tested different values of $T$ up to $10^{9}$. The results confirmed that there is no change for these structures, and that the basin in Fig. 1(b) still has a width of the order of the computer precision. This property can be immensely useful in preventing attempts to undermine the system security by studying the key basin structure (according to the study of Ref. [?], even in systems where the modulo operation is adopted, the relation between the key basin width, $W$, and the amount of known plaintext, $T$, follows the scaling $W \propto T^{3}$).

Two points make this new cryptosystem distinctive and advantageous over other schemes. Firstly, the capacity of the key space can be further extended. Every real value in the key space can be regarded as an independent secret key, and the number of independent keys in the key space is limited only by the computer precision. Secondly, the inherent property of "continuity" in chaotic systems is now avoided entirely at the level of computational precision. This renders hopeless those attacks based on analyzing the structure of the key basin. For other encryption performance indicators (such as the properties of diffusion and confusion, correlations, robustness, etc.), our numerical simulations [23] confirmed that there is no difference between this new cryptosystem and the former schemes (Ref. [?]).
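
The scheme of Eqs. (1)-(4) and the key-sensitivity claim of this section can be checked numerically with the following added Python example, which is not the authors' code. It assumes a fixed-width $v$-bit reversal, encrypts only channel 2, uses a constructed key (0.97), constructed random plaintext and an assumed 300-step synchronization transient, and uses the bit error rate as a simplified stand-in for the EFA function of Eq. (6).

```python
import random

N, V, H = 5, 30, 16      # lattice size, output bits v, precision 10^-h (values from the text)
EPS = 0.95               # epsilon_i for i = 2..N, fixed in Section II
MASK = (1 << V) - 1
TRANSIENT = 300          # assumption: synchronisation steps discarded before comparing


def logistic(x):
    return 4.0 * x * (1.0 - x)


def low_bits(x):
    """int[x * 10^h] mod 2^v, the output word of Eqs. (2) and (3)."""
    return int(x * 10.0 ** H) & MASK


def bit_reverse(word):
    """Reverse a v-bit word, so the least significant bit becomes the top bit."""
    out = 0
    for _ in range(V):
        out = (out << 1) | (word & 1)
        word >>= 1
    return out


def step(x, x0, eps1):
    """Advance lattices x_1..x_N (list x) one iteration of Eq. (1) under driver x0."""
    new = [(1.0 - eps1) * logistic(x[0]) + eps1 * logistic(x0)]
    drive = bit_reverse(low_bits(x[0])) / 2.0 ** V          # F[x_1(n)] / 2^v
    new.append((1.0 - EPS) * logistic(x[1]) + EPS * logistic(drive))
    for i in range(2, N):
        new.append((1.0 - EPS) * logistic(x[i]) + EPS * logistic(x[i - 1]))
    return new


def transmit(plain, eps1, x_init):
    """Encrypt channel 2 (Eq. 3); returns the public driver x_0(n) and the ciphertext."""
    x, driver, cipher = list(x_init), [], []
    for p in plain:
        x0 = low_bits(x[N - 1]) / 2.0 ** V                  # x_0(n) = S_N(n) / 2^v
        driver.append(x0)
        cipher.append(p ^ low_bits(x[1]))                   # C_2(n) = P_2(n) XOR X_2(n)
        x = step(x, x0, eps1)
    return driver, cipher


def receive(driver, cipher, eps1, y_init):
    """Decrypt channel 2 (Eq. 4) with a receiver lattice driven by x_0(n)."""
    y, plain = list(y_init), []
    for x0, c in zip(driver, cipher):
        plain.append(c ^ low_bits(y[1]))                    # P'_2(n) = C_2(n) XOR Y_2(n)
        y = step(y, x0, eps1)
    return plain


def bit_error_rate(a, b):
    wrong = sum(bin(p ^ q).count("1") for p, q in zip(a, b))
    return wrong / (V * len(a))


def key_scan(mismatches, key=0.97, words=2000, seed=7):
    """Post-transient bit error rate for each trial key = key + mismatch."""
    rng = random.Random(seed)
    plain = [rng.getrandbits(V) for _ in range(TRANSIENT + words)]  # constructed plaintext
    x_init = [rng.random() for _ in range(N)]
    y_init = [rng.random() for _ in range(N)]               # receiver starts unsynchronised
    driver, cipher = transmit(plain, key, x_init)
    result = {}
    for d in mismatches:
        got = receive(driver, cipher, key + d, y_init)
        result[d] = bit_error_rate(plain[TRANSIENT:], got[TRANSIENT:])
    return result


if __name__ == "__main__":
    # 2**-52 is two units in the last place of a double near 0.97
    for d, ber in key_scan([0.0, 2.0 ** -52, 1e-12, 1e-8]).items():
        print(f"key mismatch {d:.3e}: bit error rate {ber:.4f}")
```

Exact decryption requires bit-identical double-precision arithmetic at both ends, because the output words are the low-order digits of each state. At double precision the key space $[0.95, 1)$ contains about $4.5 \times 10^{14}$ distinct values, which is the exhaustive-search bound that "limited only by the computer precision" amounts to.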



IV. APPLYING CHAOS-BASED 
CRYPTOSYSTEM FOR PUBLIC CHANNEL 
CRYPTOGRAPHY 

Besides encryption, due to its excellent performance on statistical properties, the proposed cryptosystem can also be used as a set of pseudo-random-number (PN) generators. For this purpose, each lattice can be regarded as an independent PN generator, and all these generators produce PN sequences simultaneously. We have checked the random properties of these sequences with different types of evaluations (such as the run distribution, balance, power spectrum density, etc.) for arbitrary plaintexts, and they passed all these checks satisfactorily [23]. In addition, in comparison with the conventional PN sequences, these new sequences possess extremely long periods which increase exponentially both with the system size and the computer precision. Another interesting observation is that although there is no statistical correlation between these sequences, the lattices are still under the dynamical relation of generalized synchronization (GS) [22]. This special property can be of great use in certain situations where a large number of independent PN generators are required to operate simultaneously, and yet are to be kept in step in some sense. The GS relation between lattices also makes it possible to manipulate all these generators with only a few controllers. Rather than adjusting all parameters in the generators, we are now able to generate a totally different set of PN sequences by resetting only one or a few parameters.

In the field of conventional cryptography, there is one type of PKC, namely "Merkle's Puzzles", whose security depends on the protocol rather than number theory. Unlike the other PKC schemes, where both the public key and private key are predefined, in "Merkle's Puzzles" both keys are decided by the receiver at random, and the keys will be destroyed after each transmission. A set of independent PN generators and one efficient symmetric encryptor are the basic blocks for this PKC. In conventional methods, it is usually difficult to manage (mainly store and compare) such a large number of PNs; it is also not easy to find a symmetric encryptor whose security can be adjusted flexibly so as to keep pace with the improving computer speed. In this section, we will apply the cryptosystem proposed above to "Merkle's Puzzles".

FIG. 2: Prototype for public channel cryptography constructed by three OCMLs (OCML "K", OCML "A" and OCML "B"). The dash lines represent feedback or driving signals, shadowed numbers represent the identifying codes, and "//" means OCML "K" is triggered each time $T'$.

The prototype of the PKC is plotted in Fig. 2. The transmitter is composed of two OCMLs, OCML "K" ("K") used as PN generators and OCML "A" ("A") used as symmetric encryptor. The receiver comprises the decryptor OCML "B" ("B"). All OCMLs follow Eqs. (1). Without "K", the dynamics of the transmitter is identical to that of the receiver, and it is just the cryptosystem for symmetric encryption proposed in Section II. "S" represents the bit-reverse operation in Eqs. (1). "K" has two functions: (1) generating plaintext for "A" and, (2) modulating the coupling strength of the first lattice, $\epsilon_{1,A}$, in "A" (which is used as the session key for the symmetric encryptions between "A" and "B"). "K" is triggered once for each time interval $T'$, a session during which both the plaintext and $\epsilon_{1,A}$ remain constant. Following that, in the next $T'$ iterations, "A" encrypts the plaintext outputted from "K" repeatedly under the session key $\epsilon_{1,A}(j)$, with $j$ the iteration time of "K".

For the transmitter, the only secret is the parameter $\epsilon_{1,K}$. Both the dynamics, "K" and "A", and the initial conditions of "K" are public. The transmitter has two missions: producing a large number of encryption sessions and deducing the private key chosen by the receiver. For the receiver, the dynamics is public and, before deciding on the public keys, the authorized receiver has no privilege over the eavesdropper. The task of the receiver is to decrypt one of the transmitted sessions at random, and return the decrypted plaintexts - the public keys - to the transmitter through the public channel.

The details about how to transmit a private key through the public channel can be described as follows (for OCMLs of size $N = 5$):

1. "K" generates 5 integers, $X_{i,K}(j)$, $i = 1,\ldots,5$, by Eqs. (3) and marks each of the later four integers with an identification code $I_{i,K}$. For instance, in Fig. 2, let us assume the binary format of the integer generated by $x_{2,K}$ is $X_{2,K}(j)$ = '001', and mark it with an identification code $I_{2,K}$ = '000000'. (For simplicity, the word lengths of the integer and the identification code here are just used to illustrate the operations, and in actual simulations both have the word length of $v = 30$.) The identification code is only used for marking the channels and is also public. There is no identification code for $X_{1,K}(j)$, which will be used to modulate the parameter $\epsilon_{1,A}$ in "A". After this, "K" will be dormant until triggered again for the next session after time $T'$.

2. Treating all the marked integers as plaintext, each channel of "A", according to Eqs. (3), encrypts the same plaintext repeatedly for $T'$ times under the same session key, $\epsilon_{1,A}(j)$, which is modulated by the integer $X_{1,K}(j)$ through the function

e l!A (j) = 0.95+±X 1 , K (j)/2 v . (7) 

3. The transmitter repeats steps (1) and (2) until a large number, $L$, of sessions are generated and transmitted to the receiver.

4. "B" chooses one session at random and performs a brute-force attack to recover the session key $\epsilon_{1,A}(j)$ by checking the decrypted channel identification codes (which are predefined and public) through synchronization. ($T'$ is set so as to ensure that "A" and "B" can be synchronized for any random initial conditions. In this prototype, $T' = 100$ is large enough for this purpose.) This is a large, but still manageable, amount of work.

5. After being able to crack one of the sessions successfully, "B" keeps the last recovered plaintext $X_{5,K}(j)$ as the private key and returns all other recovered plaintexts, $X_{i,K}(j)$, $i = 2,3,4$, to the transmitter together with their identification codes. The return messages are transferred to "K" in the form of plaintext and are public to everyone. These plaintexts make up the set of public keys.

6. After receiving the public keys, the transmitter runs "K" with the predefined initial conditions (which are also public) and his secret key $\epsilon_{1,K}$ (known only to the transmitter). Once the outputs of the lattices match the returned public keys in each corresponding channel simultaneously, the transmitter will know that the output of the last lattice, $X_{5,K}(j)$, is the private key which the receiver had chosen, and which will be used for later communications.



V. SECURITY OF PUBLIC CHANNEL 
CRYPTOGRAPHY 

The security of this PKC depends on the number of sessions transmitted. The eavesdropper can break this system, but he has to do far more work than either the transmitter or the receiver. To recover the private key $X_{5,K}(j)$ in steps (4) and (5), on average, he has to perform a brute-force attack against about half of the transmitted sessions generated in step (3). Assuming that in total there are $L$ sessions transmitted in the public channel, the attack of the eavesdropper has a complexity of $L/2$ times that of the receiver. The public keys, $X_{i,K}(j)$, $i = 2,3,4$, will not help the eavesdropper either; they are independent PNs generated by the cryptosystem Eqs. (1). In general, the eavesdropper has to expend approximately the square of the effort that the receiver expends. This advantage is small by cryptographic standards, but in some circumstances it may be enough. For instance, in simulations (on a Pentium computer with a 2 GHz CPU and 521M RAM, Fortran90 compiler), we set the duration for each session as $T' = 100$ and the key space to the range $\epsilon_{1,A} \in [0.95, 0.95 + 1 \times 10^{-8}]$; the transmitter can generate about $L \approx 1 \times 10^{8}$ sessions in one minute, and the receiver needs another minute to explore one session key $\epsilon_{1,A}(j)$. However, with the same computing facilities, it will take the eavesdropper about two years to break the system, a time that is likely to be longer than the useful lifetime of the secret message.

The eavesdropper can of course attack only the private key $X_{5,K}$ used in the later communications, without considering the problem of PKC. But with the system under consideration, the private key can be combined randomly and adjusted freely both in length and position. While this adds no additional cost to PKC, it will be a disaster for an eavesdropper, and he/she finally has to fall back on attacking the sessions. Meanwhile, the excellent performance on correlations of the system prevents any attempt to deduce the private key $X_{5,K}(j)$ from the public keys $X_{i,K}(j)$, $i = 2,3,4$. The knowledge of the initial conditions cannot help with predicting $\epsilon_{1,K}(j)$ or $X_{5,K}(j)$ either. With the bit-reverse operation, the difference between two corresponding outputs, $\Delta X_{i,K}(j) = |X_{i,K}(j) - X_{i,K'}(j)|$, increases to the order of the attractor size within a few iterations, and after that the behaviors of the two systems are totally different. (For example, with $N = 5$ and $\Delta\epsilon = \epsilon_{1,K} - \epsilon_{1,K'} = 10^{-16}$, it needs only about 5 iterations on average for $\Delta X > 1/3$, a simple criterion in testing randomness.) So the only thing the eavesdropper can do is to find out the secret key $\epsilon_{1,K}$. The problem of security returns to that of the symmetric cryptography and, according to our security analysis in Section III, there is no shortcut but to try all the possible values of $\epsilon_{1,K}$ in $[0.95, 1)$ or an even larger range.

In summary, the practical security of PKC only relies 
on that of the symmetric encryption, both for the PN 
generators, "K", and the encryptor, "A". Given that 
there is no systematic cryptanalysis developed for the 
new cryptosystem, the proposed PKC will be secure. 

VI. DISCUSSION AND CONCLUSION 

While the incorporated bit-reverse operation improves 
the security of the chaos-based cryptosystem to a new 
level, the adaptation of this cryptosystem for PKC brings 
new features and advantages for other real applications 
as well. 

• Unlike conventional approaches, the same cryptosystem, Eqs. (1), can be used both as encryptor and as PN generators. This feature can bring certain convenience both for security analysis and model design.

• In conventional methods, the transmitter has to store all the PNs in a group and find the private key which matches the returned public keys by a brute-force comparison, which usually involves large amounts of memory space and computer resources. By adopting "K" as the PN generators, all these keys can be automatically regenerated through the dynamics of OCML. Since the security of PKC relies on the number of sessions transmitted, this property also makes it possible to implement PKC in situations where memory space is scarce and computer speed is limited.

• Although one could replace each lattice in "K" with a separate conventional PN generator, in real applications it is usually hard to keep them working in step. But this problem does not appear for OCML, where all sequences are outputted simultaneously under the relation of GS.

• The process of recovering the private key $X_{5,K}(j)$ from the public keys $X_{i,K}(j)$, $i = 2,3,4$, is achieved by the trap-door $\epsilon_{1,K}$, the only secret of the transmitter. With the trap-door, it is easy to recover all keys of the chosen session, but this fails for any detectable mismatch. In this regard, the proposed OCML actually can be used as a one-way function with the trap-door $\epsilon_{1,K}$.

The proposed PKC also enjoys all advantages of traditional chaotic systems. The security of encryptor "A" can be updated easily either by enlarging its key space or by combining more couplings as the session key, which makes this scheme easily adjustable to different security requirements. In addition to the implementations in software, the proposed scheme is expected to be efficient in hardware as well, judging from the progress in chaos experiments [25]. The dynamics based cryptography makes it not only easy to formulate and analyze system security in theory, but also simple to design and operate the constructed cryptosystems in applications. Meanwhile, the performance of PKC can be further enhanced by chaos-based spread-spectrum communications [23]. Whereas the security of PKC relies on the number of transmitted sessions, it is highly recommended to transmit these data through a wide-band channel so as to achieve a fast speed, and chaotic signals, with their excellent performance on correlations, can be used for this purpose directly.

In conclusion, we have proposed in this paper a way of improving the security of chaos-based cryptosystems to the order of measurement precision, and applied it to PKC by using the system both as PN generators and as symmetric encryptor. Incorporating the conventional bit-reverse operation, we successfully overcome the problem of "continuity" in chaotic systems, and equip the conventional scheme of PKC with new characteristics of spatiotemporal chaos.